CVE-2026-3368

The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitizeigdata function which only sanitizes array values but not array keys,...

CVE-2025-14808

IBM Security Bulletin confirms CVE-2025-14808 in IBM InfoSphere Information Server, describing a sensitive information disclosure via the query string of HTTP GET requests. Affected versions: InfoSphere Information Server 11.7.0.0–11.7.1.6. Root cause: exposure of sensitive data in a GET request;...

CVE-2025-14808

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques...

CVE-2025-14808 IBM InfoSphere Information Server is vulnerable due to disclosure of sensitive information

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques...

PT-2026-28109

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques...

CVE-2026-32066

OpenClaw has a memory-exhaustion vulnerability in the Zalo webhook endpoint present before version 2026.3.1. The issue allows unauthenticated attackers to trigger unbounded in-memory key accumulation by sending repeated requests with varying query strings to the same webhook route, causing memory...

GO-2026-4742 Heimdall: Path received via Envoy gRPC corrupted when containing query string in github.com/dadrus/heimdall

Heimdall: Path received via Envoy gRPC corrupted when containing query string in github.com/dadrus/heimdall...

CVE-2026-28461 OpenClaw < 2026.3.1 - Unbounded Memory Growth in Zalo Webhook via Query String Key Churn

OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unauthenticated attackers to trigger in-memory key accumulation by varying query strings. Remote attackers can exploit this by sending repeated requests with different que...

CVE-2026-28461 OpenClaw < 2026.3.1 - Unbounded Memory Growth in Zalo Webhook via Query String Key Churn

OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unauthenticated attackers to trigger in-memory key accumulation by varying query strings. Remote attackers can exploit this by sending repeated requests with different que...

Heimdall: Path received via Envoy gRPC corrupted when containing query string

Summary When using heimdall in envoy gRPC decision API mode, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed. The HTTP based decision API is NOT affected, and proxy mode is NOT affected either. Note: The issue can only lead to unintended acces...

CVE-2026-32263 Craft CMS vulnerable to behavior injection RCE via EntryTypesController

Craft CMS is a content management system CMS. From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parsestr is passed directly to Craft::configure without Component::cleanseConfig. This allows injecting Yii2 behavior/event handlers via...

CVE-2025-14811 IBM Sterling Partner Engagement Manager Information Disclosure

IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques...

CVE-2026-31816

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any...

CVE-2026-31816 Budibase Universal Auth Bypass via Webhook Query Param Injection

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any...

CVE-2026-31816

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any...

EUVD-2026-10358

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any...

EUVD-2026-10359

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any...

Budibase 注入漏洞

Budibase is an open-source low-code platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Budibase versions 3.31.4 and earlier have a injection vulnerability. This vulnerability stems from the authorized...

PT-2026-24118

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.31.5 Description Budibase is a low code platform used for creating internal tools, workflows, and admin panels. A flaw exists in the server's authorized middleware, which is designed to protect server-side API...

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to arbitrary code execution (CVE-2025-13465, CVE-2025-61140) and denial of service (CVE-2025-15284)

Summary Node.js modules lodash, qs and jsonpath are used by IBM App Connect Enterprise Certified Container. All IBM App Connect Enterprise Certified Container operands are vulnerable to arbitrary code execution CVE-2025-13465, CVE-2025-61140 and denial of service CVE-2025-15284. This bulletin...